Rare Program to Rare IP
The Rare Program to Rare IP Detector looks for a combination of a rare program hashes executed and traffic with rare destination IP addresses on a single host within the same time period.
Rare Program and Rare IP Alert
If there is a correlation—that is, the process id and process time window of the process and destination IP address match—between the destination IP and the rare program for the same host, an alert is sent to the Secureworks® Taegis™ XDR Alert Database and Dashboard. The recommended action for an alert is to pivot on the host or source IP address listed in the alert and to look into the user that executed the process listed in the alert.
Rare is defined as unique within the entire XDR data lake within a period of 60 days. Rare doesn’t necessarily mean the program is malicious. Adversaries might craft a weaponized valid program or even deploy outdated and vulnerable programs to exploit these. At the same time, unsuccessful patch management might also leave outdated programs behind that this detector potentially could surface. Therefore the detection helps increase visibility to potential entry vectors for adversaries.
Requirements ⫘
This detector requires the following data sources, integrations, or schemas:
- Netflow
- Process
Inputs ⫘
Detections are from the following normalized sources:
- Netflow, Process
Outputs ⫘
Alerts from this detector are pushed to the XDR Alert Database and Alert Triage Dashboard.
Configuration Options ⫘
This detector is enabled by default when the required data sources or integrations are available in the tenant.
MITRE ATT&CK Category ⫘
- MITRE Enterprise ATT&CK - Command and Control - Application Layer Protocol. For more information, see MITRE Technique T1071.
- MITRE Enterprise ATT&CK - Command and Control - Non-Application Layer Protocol. For more information, see MITRE Technique T1095.
Detector Testing ⫘
This detector does not have a supported testing method, though an Advanced Search will verify if alerts originated with this detector.
Note
If no supported testing method is available, an Advanced Search will show you if any alerts came from this detector if a qualifying event was observed. A search with no results does not indicate the detector is not working. A lack of search results for the detector may only indicate that the specific attack has not been observed in the tenant. However, it could indicate the underlying data is not available. Ensure the required schemas are provided in Data Sources along with the supported device type(s) for that schema.
FROM alert WHERE metadata.creator.detector.detector_id='app:detect:rare-process-to-rare-ip'
References ⫘